Mac researcher tries detecting ransomware generically by spotting behavior patterns

Researcher Patrick Wardle created a new tool, albeit a flawed one, that detected strains of Mac-based ransomware by spotting certain telltale behaviors.

Less than two months after cybersecurity experts identified KeRanger as the first fully functioning ransomware targeting OS X, an enterprising researcher has chronicled his own attempt at creating a behavior-based ransomware detection tool for Mac computers.

The tool's creator, Patrick Wardle, believes it to be the first anti-malware solution specifically designed to identify and detect certain distinct behaviors commonly exhibited by ransomware applications, Mac-based or otherwise. To put it another way, “If we can monitor the file systems and detect the rapid creation of encrypted files by untrusted processes, then maybe we can generically detect ransomware” on an individual's computer, said Wardle, a former NSA employee and current director of research at Redwood City, Calif.-based cybersecurity firm Synack, in an interview with SCMagazine.com.

Because signature-based malware detection solutions can only stop known threats with identifiable properties, many cybersecurity experts predict that tomorrow's solutions will need to incorporate heuristic and behavioral analysis into their repertoires in order to catch new, previously unseen malicious code. To that end, Wardle on Wednesday introduced his ransomware detection tool “RansomWhere?” on his independent Objective-See blog.

Wardle fully acknowledged that his tool contains numerous flaws, one of which a fellow security researcher was already able to exploit. However, his solution is not intended to be a panacea, he contended, but rather a starting point that provokes the cybersecurity community to continue searching for innovative new ways to stop the current ransomware scourge, especially before it spreads to Mac-based systems.

“There's no technical reason we're not seeing Mac ransomware,” said Wardle. “We'll likely see it soon.”

RansomWhere? ostensibly operates in three phases: First, it monitors input/output events, looking for newly created or modified files. Next, the solution analyzes whether a rogue program is starting to encrypt a machine's contents by searching for highly randomized bytes within files—a telltale indicator of encryption. Finally, the solution determines whether the software performing the encryption is legitimate, allowing the program to continue if Apple signed the process's binary or if the app was already installed before RansomWhere? was. If the app is untrusted, the user receives a notification asking them to explicitly approve the program, so the user can proceed in the event of a false positive.
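The three phases described above, reduced to a small behavioural monitor as an added illustration (constructed for this article, not Wardle's own code): a Shannon-entropy check stands in for the "highly randomized bytes" test, a trust list stands in for the Apple-signed/pre-installed check, and an untrusted process is suspended only after a burst of high-entropy writes. The thresholds, the `protected_root` scope and the process names are assumptions.

```python
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"
BURST_THRESHOLD = 3      # assumed number of high-entropy writes before suspending


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic from the article: ciphertext has near-uniform byte distribution."""
    return shannon_entropy(data) >= threshold


class BehaviouralMonitor:
    """Toy RansomWhere?-style monitor (constructed example, not the real tool)."""

    def __init__(self, trusted_processes, protected_root="/Users/"):
        self.trusted = set(trusted_processes)      # signed / pre-installed apps
        self.protected_root = protected_root       # scope of the file watch
        self.high_entropy_writes = defaultdict(int)

    def on_file_write(self, process: str, path: str, data: bytes) -> str:
        """Classify one I/O event: 'allow', 'out-of-scope', 'watch' or 'suspend'."""
        if not path.startswith(self.protected_root):
            return "out-of-scope"   # the home-directory limitation noted in the article
        if process in self.trusted or not looks_encrypted(data):
            return "allow"
        self.high_entropy_writes[process] += 1
        if self.high_entropy_writes[process] >= BURST_THRESHOLD:
            return "suspend"        # prompt the user before more files are touched
        return "watch"


# Constructed sample data: readable text versus a uniform byte pattern
# used as a stand-in for ciphertext (entropy exactly 8.0 bits per byte).
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 50
CIPHERTEXT_LIKE = bytes(range(256)) * 16


def simulate_untrusted_burst(n_files: int = 3):
    """Untrusted process writing n_files encrypted-looking files into $HOME."""
    monitor = BehaviouralMonitor(trusted_processes={"com.apple.TextEdit"})
    return [monitor.on_file_write("unknown.app", f"/Users/me/doc{i}.txt", CIPHERTEXT_LIKE)
            for i in range(n_files)]
```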

According to Wardle, a test of his own program managed to stop KeRanger as well as Gopher, a proof-of-concept Mac ransomware created by researcher Pedro Vilaca.

However, that does not mean RansomWhere? is anywhere near a polished, proven product ready for mass distribution. For starters, the tool is reactive, responding only after the encryption process commences. This means a small number of files—perhaps three or four—will be impacted before the ransomware is confirmed and halted. Moreover, the tool contains several notable flaws that hackers could quickly exploit by making subtle tweaks to their ransomware coding.

Case in point: Forbes consulted with the aforementioned Vilaca, who was able to defeat RansomWhere? with his Gopher ransomware using just 10 lines of code. Because the tool only protects files within a machine's home directory, Vilaca in his own test was able to move files out of said directory and subsequently encrypt them. Wardle himself admitted this and other weaknesses in both his blog post and his interview. “Vilaca beat the tool with 10 lines of code, but I can do it in one or two,” Wardle told SCMagazine.com.

Still, Vilaca said it wasn't the blog post that brought the directory flaw to his attention. He, too, has been looking into potential anti-ransomware solutions and so RansomWhere?'s “design issues and problems are very familiar” to him, Vilaca told SCMagazine.com via email. Furthermore, “I got a couple more ideas to escape its detection, so in a real-world scenario, a reasonable ransomware gang would be able to update its methods fast to bypass it.”

Vilaca complimented the tool as an “interesting proof of concept exercise” and commended Wardle for acknowledging its flaws, but expressed concern that Mac users might mistakenly think RansomWhere? is a market-ready product, which it is “definitely not.”

“Ransomware is an extremely hard problem to solve in a generic way,” said Vilaca, and it almost always ends in the same conclusion: “There is a huge tradeoff to be made between security and usability. And this is hard to implement as the Windows Vista experience has shown in the past with all the annoying password prompts.”

Wardle intends to fix the home directory issue and other vulnerabilities in successive iterations of his new tool. He also defended his creation saying any anti-ransomware software program can be defeated if a cybercriminal specifically targets its weak points.

Several other industry experts weighed in on the tool as well.

Gil Barak, CTO at Israeli cybersecurity firm SECDO, told SCMagazine.com via email that RansomWhere? is “not a bad idea, but it is not a ransomware killer by any means.” Barak said that today's more sophisticated ransomware already has demonstrated ways to potentially evade some of the techniques employed by the tool.

For instance, some ransomware variants running in the Windows environment can avoid detection by encrypting only small, critical portions of a file, or by not encrypting a file directly (instead they delete the original file and create a new encrypted version). “But the technique that is used by most new ransomware families (e.g. CryptoWall and Locky) that completely breaks this concept is impersonation,” said Barak. “Instead of encrypting files directly, these variants inject or load themselves into existing known vendor processes such as Microsoft svchost.exe, or run the encryption routine as a macro script directly from a PowerPoint presentation, effectively impersonating a valid vendor.”

Zach Lanier, director of research at Irvine, Calif.-based cybersecurity firm Cylance, also reviewed the tool. “It's a good idea, but it's very, very immature, all things considered,” Lanier said in an interview with SCMagazine.com. In its current form, it might be a useful tool for an individual user, but “I wouldn't go into a financial institution with this,” he continued.

“It strikes me more as a nice, altruistic thing that this researcher has done,” he continued, “and maybe it will inspire other ideas and make the industry and community at large think about ways to address emerging threats.”
